Many data centers build more advanced file sharing on network file systems, which requires verifying user account information. If you are using Linux, you can integrate NetApp storage with LDAP to enhance security.
Most storage permission control can be integrated with Microsoft Active Directory authorization, but configuring Lightweight Directory Access Protocol (LDAP) integration for Linux systems is not easy.
Secure file sharing requires user authorization and verification, as demanded by high-level data sharing and archiving projects. If Linux users need to access these shares, the storage device must first be able to identify those Linux user accounts. Besides Active Directory, you can also use LDAP integration, although LDAP configuration is complicated. The good news is that NetApp storage supports verification against an LDAP server. You can then set file access permissions on the storage just as you would on a local Linux file server.
To begin configuring NetApp storage and LDAP integration, use SSH to log on to the NetApp command line. Enter the priv set advanced command, which gives access to all the required security parameters. Then enter options ldap to view the current settings (these operations can also be performed in the browser-based management page):
- ams5-fas2240-A*> options ldap
- ldap.ADdomain
- ldap.base dc=example,dc=com
- ldap.base.group
- ldap.base.netgroup
- ldap.base.passwd
- ldap.enable on
- ldap.minimum_bind_level anonymous
- ldap.name
- ldap.nssmap.attribute.gecos gecos
- ldap.nssmap.attribute.gidNumber gidNumber
- ldap.nssmap.attribute.groupname cn
- ldap.nssmap.attribute.homeDirectory homeDirectory
- ldap.nssmap.attribute.loginShell loginShell
- ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
- ldap.nssmap.attribute.memberUid memberUid
- ldap.nssmap.attribute.netgroupname cn
- ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
- ldap.nssmap.attribute.uid uid
- ldap.nssmap.attribute.uidNumber uidNumber
- ldap.nssmap.attribute.userPassword userPassword
- ldap.nssmap.objectClass.nisNetgroup nisNetgroup
- ldap.nssmap.objectClass.posixAccount posixAccount
- ldap.nssmap.objectClass.posixGroup posixGroup
- ldap.passwd ******
- ldap.port 389
- ldap.servers ut01.example.local
- ldap.servers.preferred ut01.example.local
- ldap.ssl.enable off
- ldap.timeout 20
- ldap.usermap.attribute.unixaccount unixaccount
- ldap.usermap.attribute.windowsaccount windowsaccount
- ldap.usermap.base
- ldap.usermap.enable off
If any parameter is incorrect, use the options ldap.base command to set the correct search domain:
- ams5-fas2240-A*> options ldap.base dc=commerce-hub,dc=local
After setting the search domain, confirm that the storage can retrieve information from the LDAP directory service. The getXXbyYY command shows how the system looks up the arnaud account (and, below, the linda account):
- ams5-fas2240-A*> getXXbyYY getpwbyname_r arnaud
- pw_name = arnaud
- pw_passwd = {{******}}
- pw_uid = 1002, pw_gid = 100
- pw_gecos =
- pw_dir = /home/arnaud
- pw_shell = /bin/bash
- ams5-fas2240-A*> getXXbyYY getpwbyname_r linda
- pw_name = linda
- pw_passwd = {{******}}
- pw_uid = 1001, pw_gid = 100
- pw_gecos =
- pw_dir = /home/linda
- pw_shell = /bin/bash
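As an added check written for this article (not code from the page or from NetApp), the following Python parses the options ldap listing and the getXXbyYY output shown above and reports the settings a defender should review before NFS permission decisions depend on these lookups; the sample input is constructed from the listings on this page, and the option names assumed are exactly those the listing shows.

```python
import re

# Constructed sample input: a trimmed copy of the `options ldap` listing above.
SAMPLE_OPTIONS = """\
ldap.base dc=example,dc=com
ldap.enable on
ldap.minimum_bind_level anonymous
ldap.port 389
ldap.ssl.enable off
"""

# Constructed sample input: the getXXbyYY getpwbyname_r output for arnaud.
SAMPLE_GETPW = """\
pw_name = arnaud
pw_passwd = {{******}}
pw_uid = 1002, pw_gid = 100
pw_gecos =
pw_dir = /home/arnaud
pw_shell = /bin/bash
"""


def parse_options(text):
    """Map each 'ldap.key value' line to a dict entry; unset keys map to ''."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and parts[0].startswith("ldap."):
            opts[parts[0]] = parts[1] if len(parts) > 1 else ""
    return opts


def audit_ldap_options(opts):
    """Return findings for settings worth reviewing before trusting the lookups."""
    findings = []
    if opts.get("ldap.enable") != "on":
        findings.append("ldap.enable is not on: LDAP lookups are disabled")
    if not opts.get("ldap.base"):
        findings.append("ldap.base is empty: searches have no base DN")
    if opts.get("ldap.ssl.enable") != "on":
        findings.append("ldap.ssl.enable is off: binds and lookups travel in clear text")
    if opts.get("ldap.minimum_bind_level") == "anonymous":
        findings.append("ldap.minimum_bind_level is anonymous: filer may bind without credentials")
    return findings


def parse_getpw(text):
    """Parse getpwbyname_r output into passwd fields (pw_uid, pw_gid, ...)."""
    # Match only spaces/tabs around '=' so an empty field (pw_gecos) does not
    # swallow the next line.
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"(pw_\w+)[ \t]*=[ \t]*([^,\n]*)", text)}
```

Run against the listing on this page, the audit reports the SSL-off and anonymous-bind settings, which are the two items to fix before the storage's permission model relies on the directory.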
Once the user account information returned by the LDAP server has been verified, make sure the lookups work at every level. To modify the nsswitch.conf file you need read and write permissions. Open /etc/nsswitch.conf with the file editor (wrfile on the storage); the file should contain the following lines:
- ams5-fas2240-B> wrfile /etc/nsswitch.conf
- hosts: files dns nis
- passwd: ldap files nis
- netgroup: ldap files nis
- group: ldap files nis
- shadow: files nis
The storage device can now obtain user information through the LDAP server. With NetApp storage integrated with LDAP user verification, the permission settings of Network File System (NFS) shares can be controlled normally. Use the options nfs.v4.acl.enable command to turn NFSv4 access control lists on or off. You can also apply Linux ACLs to the NetApp storage, so that it behaves more like a Linux file directory with the corresponding permissions:
- ams5-fas2240-B> options nfs.v4.acl.enable on
Changes to the nfs.v4.acl.enable option affect all members of a high-availability configuration in takeover mode. Make sure the modified parameters are consistent across the members of the high-availability pair.
NetApp storage is now fully integrated with the Linux environment, and administrators can use it as they would a local Linux file system.